Features: February 18th, 2011

The public handels a vast quanitiey of sensitive data and it is rightly subject to high levels of scrutiny about the way data is protected, Stuart Feargrieve of Axway UK, describes the widespread risks of data getting into the wrong hands. He also explains what can be done to limit the risks.

The risks of data leakage are particularly pronounced in the public sector, especially with recent high-profile incidents that have been pounced upon and publicised, which can be intensely embarrassing for an organisation. Not only this, but the Information Commissioners Office (ICO) has recently started to show its teeth with its first ever fines for data security breaches. More than ever, public sector organisations need to keep their data protection policies in check to avoid punitive fines and mountains of negative publicity.

The particularly sensitive nature of data handled by public sector bodies means that they are often at higher risk than many private sector companies. The data held is inherently more valuable and data breaches will often be taken more seriously by regulators and the public. The public sector is, quite rightly, subject to a much higher degree of scrutiny and this demands the very best of best practices if the risk is to be managed effectively.

Email, make it foolproof

In practice, email is one of the areas most vulnerable to data loss, whether negligent or malicious, and it is imperative that as much as possible is done to mitigate this risk. In studying the behaviour of workers it has been found that an alarming number of people use personal webmail accounts to transfer work files when data security protocols or email client interfaces frustrate and prevent them from doing their job. A study carried out by MeriTalk last year found that in the US Federal government 52 per cent of employees bypassed their work email accounts when sending files. If this practice is replicated on this side of the pond this should be a very worrying statistic indeed.

Other points of concern highlighted by the research are that 66 per cent of employees use unencrypted physical media (tapes, USB sticks, CDs etc.) and 60 per cent use insecure FTP sites to transfer work files. Both of these methods are to be avoided if possible due to the inherently risky nature of the systems and are the kind of avoidable negligence that can attract ICO fines.

However, this trend is not just prevalent in the US; the ICO said last year that a quarter of all data breaches that are reported relate to the NHS. Not only this, but amongst the first fines issued by the ICO was a £100,000 bill given to Hertfordshire County Council for unwittingly faxing information relating to sexual abuse of children to a member of the public rather than their barristers. Humans are fallible creatures so mistakes like this will always be possible but, they can be reduced significantly by automated systems that can apply a well crafted security policy as an effective defence.

Being able to transfer data from one place to another is essential to the running of any modern organisation or business. Indeed, with many organisations widely geographically dispersed it would be impossible to operate without it. However, there is no reason why this cannot be done in a way that minimises the risks of anything going awry. Starting with a system that secures all outgoing email and allows files that would be traditionally too large for an email server to be transmitted would reduce the exposure of sensitive data and be a good place to start.

People are the first line of defence

A sad fact of life for network managers is that even if the systems they put in place are flawlessly designed and executed, people are still capable of making mistakes. More often than not, the root cause of data loss is human error – be it through ignorance or negligence. As such it is vital that employees working with sensitive and valuable data are properly educated about their role and responsibility with regard to the Data Protection Act (DPA) and how actions that might seem innocent enough, such as transferring data to a USB stick to work on at home, can lead to public censure and fines from the ICO – how many news stories have you read about such things being left in taxis and on trains?

After education the next most important thing is to ensure that you have up to date data protection policies and procedures and that the technical aspects are all updated. Once the policies are in place then it is essential that they are enforced and, where possible, deployed as integral software component of the organisations e-mail solution.

Lastly, and perhaps most importantly, employees have to be empowered and enabled to follow the policies put in place. It would be self-defeating to have an excellent data security policy and education combined with technology and software that interferes with following it. For example, if you require that all files that need to be transferred electronically must go through the organisation’s encrypted e-mail servers, this becomes completely redundant when the files being transferred are too large to be transmitted. This technical deficiency would frustrate employees and often force them to use insecure media to carry out their jobs effectively, even if they know they shouldn’t. An email security system that interfaces into the organisation’s default email client (for example Outlook) with a comprehensive policy enforcement engine will enable large files to be transmitted securely while security policies and procedures are adhered to automatically.

In the end, the critical decisions regarding data protection and loss prevention are made by employees. Public sector organisations are posed a unique set of challenges and risks by the often sensitive data they hold and use every day. Insecure methods for file transfers risks exposing data to malicious attacks and interception that some private sector organisations just wouldn’t be faced with. When data is in motion or at rest you cannot underestimate the value of effective IT systems, suitable education and well thought out policies in safeguarding sensitive data.

The essential ingredients of data loss prevention

The security policy needs to include:
o Adequate governance of sensitive data – unnecessary transmission of data off-premises should be avoided at all costs
o All data that does leave the premises must be securely encrypted in case of loss
o Access to sensitive data should only be permitted to staff with a valid need for it
o Prevent confidential data from being transferred to portable media such as USB sticks or CDs where avoidable
o Monitor all outbound data for data security risks – prevent unpermitted outbound transmission of sensitive files
o Ensure all employees with access to sensitive data are educated about the role under the DPA and how to use the internal systems

• Employ adequate technology
o Any IT solution for data protection must be as comprehensive as possible to address future needs
o IT systems should not prevent users from fulfilling their obligations and duties under the DPA and internal security policies

• Don’t forget non-electronic security
o Ensure that sensitive data existing in hard-copy is appropriately destroyed after use – IT and security policies will become redundant if sensitive data is left lying around. Digitising such data and storing it securely is a service offered by a number of providers – make sure it is moved securely with a best in class managed File Transfer solution. Gartner produces a Magic Quadrant that can point to the leaders in this space.

Stuart Feargrieve is Managing Director, Axway UK.